Sunday, May 2, 2010

The Architecture of Consent

Sitting at supper one evening many years ago in Metz, France, I asked a Canadian military acquaintance how he planned to vote in the upcoming Canadian federal election.

"Same way as last time", he replied rather curtly.

"Yes but how was that?" I ventured.

"For the retention of the secret ballot!" he growled.

I looked up sharply from my supper plate expecting some sign of humour, but found myself peering into the cold, almost belligerent stare of a man who had killed and nearly been killed flying Spitfires in Malta in 1942, had faced the Viet Cong and been shot at again while a member of the Truce Commission in Viet Nam in 1956, and was now (1962) senior intelligence officer for the RCAF in Europe as the Berlin Wall went up, the Cuban missile crisis was in full swing, and de Gaulle was being threatened (by elements of his own military) with assassination for pulling out of Algeria.

At a time when there were thought to be only two legitimate monopolies in democratic society, the authorization to bear arms and the right to print money, here was a military man saying he was willing to lay down his life, willing to die, to keep the keys to the gun locker in civilian hands!

For me, there was no more stark illustration of the difference between democratic and totalitarian regimes at the peak of the cold war.

Today, there is another battle underway that is every bit as pitched and critical to human freedom as was control of the arsenal sixty years ago.

Along with armaments and currencies, control over citizen identity is about to become the third leg in the proverbial barstool of core principles underlying democracy itself. It must remain in unbiased hands.

When the Internet first revealed its enormous potential for convenient transactions, most engineers assumed that citizen data would have to reside in unimaginably huge, centralized databases. The very thought of such repositories today, containing all personal identifiers on all citizens, has both civil servants and politicians silently and very uncomfortably squirming.

At best, some wonder if a new credibility for government itself might emerge from the fact that citizens trust them marginally more than they do vested commercial interests like Microsoft, Oracle or Computer Associates to hold all this data.

But lo and behold, in this era of executive exchanges between private and public sectors, and the blurring of boundaries within government in what Donald Savoie describes as the diminishing distinction between the roles of politicians and civil servants, it seems we must consider an entirely new paradigm in this area.

Visionaries among information technology professionals have taken up this cause of re-anchoring human identity and citizen consent, not with vested-interests in the private sector, nor even with the purportedly more altruistic public sector, but rather smack dab back in the hands of each and every individual citizen!

How can this be possible?

We can't even begin to understand this third pillar of democratic governance without first understanding that it is inextricably linked to anonymity.

The most fundamental insight of both psychology and philosophy is that human perception itself is contingent on contrast. Whether up-down, in-out, over-under, light-dark, night-day, hot-cold, male-female, or life-death … the human brain cannot even detect any of those singularities except in juxtaposition with their concomitant opposites.

That fact leads to an extraordinary question: "Can we develop an architecture of citizen identity and consent that is thoroughly rooted in a fundamental right to anonymity and yet so practical it can be embedded at the very core of all 21st Century transactions, whether personal or electronic?"

A Brief Guide to Anonymity

Free people expect to consent before actions are taken on their behalf.

When we take a quiet stroll in the park, we consent before our cell phone discloses our GPS location. If we ask for tomorrow's weather forecast on the Internet, the weather service has no need to know who is asking. If we want to access the cockpit of a fully loaded commercial airliner, however, we will be asked to surrender our left index fingerprint or the innards of our right eyeball for detailed examination.

The rule is very simple. The greater the potential damage that could arise from mistaken or fraudulent use of our identity, the more rigorously we should demand proper authentication before we consent.

The Players

Relying Party

If you were my doctor, I’d expect every pharmacist to make sure my prescription really came from you before acting in your name. And if you were my pharmacist, I’d sure want you to make sure the person trying to get the prescription filled really is me. In each case, the pharmacist or the doctor must rely on some trusted party to vouch for the doctor being a doctor, for the pharmacist being a pharmacist, for the prescription being a real one, and for me really being who I say I am.

In this context, the pharmacist and the doctor have to rely on someone they trust during their part in this transaction. The question then arises. On whom can they rely?

Authoritative Party

Currently, pharmacists rely on the College of Physicians and Surgeons to vouch for doctors and they rely on a Provincial Health Care Plan (HCP) to authenticate each patient. During a prescription-filling transaction, the College and the HCP each become an 'Authoritative Party' at their appropriate stage in the transaction.

Identity Agent

Which leaves you and me, as citizen or consumer, to decide whether we even want these two parties talking to each other about us in the first place!

What are the conditions under which we authorize the pharmacist to check on us with the HCP, or to check on our doctor with the College of Physicians and Surgeons? Only if each of these preliminary transactions is completed with our consent should the pharmacist then be permitted to dispense the drugs.

Credentials

In the context of identity and authentication, the trusted instrument that we use to express our consent is called a credential, something you, and your doctor, and your pharmacist trust to authenticate the person asking for the prescription in your name.

How trustworthy are your credentials? Do you think your pharmacist should trust anyone who tries to use your health card? Does your health card have your photo on it? How about your driver’s license? Even if it has a photo on it, how easily can it be faked? Can the photo be changed? Can the Provincial Licensing Office be fooled into issuing a credential with your name on it but a different photo? Can pharmacists or police officers trust that people using your credentials are really you?

In order for a credential to be trusted, the credential itself must come from an authoritative party who has taken sufficient time and effort to ensure you really were you in the first place, when the credential was issued!

For example, if a credential has been issued by someone who insists on meeting you in person, who keeps a recent address and photograph of you on file at all times, who has checked your fingerprints, taken a retinal scan, or even demanded a DNA sample, then such a credential might not only be trusted in the first instance, but in fact might be trusted by other authoritative parties as a 'Foundation Credential' to be used when applying for other trusted credentials. That role, issuing Foundation Credentials that are so reliable they are trusted by other credential-issuing parties, would seem more appropriately handled by a government you choose and hold accountable.

Currently in Canada, birth certificates, health cards, and even driver's licenses are not yet trusted as Foundation Credentials because relying parties can't be sure the issuer has taken sufficient care in authentication before issuing. And once a credential is issued, has the issuer used the latest techniques to protect it against tampering or alteration?

Using the right words

Before going any further, let’s define three key words: Person, Identity and Credential.

The person is you! The physical you. Your actual flesh and blood.

Your identity is a collection of data that begins to accumulate from the moment of birth. It often starts with a hospital footprint taken within sight of your mother and stored with the names of your family, your date and place of birth, your given names, your ethnicity, and your blood type. With every passing day after that, more and more data is generated and accumulated: with doctors, dentists, schools, churches, recreation affiliations, motor vehicle bureaus, financial institutions, health care plans, employers, taxation records, passport offices and, eventually, a cemetery.

A credential is an instrument or document containing as little as possible, but just enough of the above identity elements for the type of transaction in progress. A confirmed, tamper-proof photograph might be enough for Hertz, Avis, Budget and the highway patrol, but to enter a Level-4 epidemiology research lab or the national intelligence headquarters might need you to surrender your index finger and your right eyeball!

Least Means and Minimum Data

These examples illustrate a powerful and essential constraint on how your credentials are used. Modern credentials should not only require your consent each time they are used, they must be 'smart' enough to only disclose to the Relying Party the absolute minimum amount of information required for the specific transaction in progress. That means the fewest and least intrusive elements of your identity needed to safely obtain the service based on a practical, unexaggerated calculation of the potential damage that could result from mistaken or fraudulent use of your identity.

Your annual income is not a necessary element of your driver’s license. Someday, your age and eyeglasses prescription might be.

Surprisingly, the more robust the credential, the less data might actually be divulged. To convince a security guard to let you enter a Department of Defense research laboratory, you might only need your right eyeball. Nothing else. The Commissionaire guarding the door has absolutely no need to know your name, job title, or where you live.
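The prescription scenario from the Players section and the minimum-data rule above can be shown in code. What follows is an added example, not part of the original post and not any real system: two Authoritative Parties (the College and the HCP) each issue a credential that commits to every identity element but reveals none on its own; an Identity Agent holds the citizen's credentials and releases a claim only when the citizen's consent policy permits that Relying Party to see it; the pharmacist, as Relying Party, verifies that each disclosed element was committed to by a trusted issuer and never sees the rest. The commitment scheme (salted per-claim digests signed as a set) and the party names are assumptions of the example, and an HMAC stands in for the issuer's digital signature so that it runs on the standard library alone.

```python
import hashlib
import hmac
import json
import os


class ConsentDenied(Exception):
    """The citizen's consent policy refused the disclosure request."""


class VerificationFailed(Exception):
    """The presentation does not check out against the issuer's key."""


def _digest(claim, value, salt):
    # Commitment to one identity element; the salt keeps unrevealed claims unguessable.
    return hashlib.sha256(f"{salt}|{claim}|{json.dumps(value)}".encode()).hexdigest()


def _sign(key, issuer, digests):
    # Assumption: an HMAC over the sorted digest set stands in for an issuer signature.
    msg = json.dumps({"issuer": issuer, "digests": sorted(digests)}).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuthoritativeParty:
    """Issues a credential that commits to every claim but reveals none by itself."""

    def __init__(self, name, key):
        self.name, self.key = name, key

    def issue(self, claims):
        disclosures = {c: (v, os.urandom(8).hex()) for c, v in claims.items()}
        digests = sorted(_digest(c, v, s) for c, (v, s) in disclosures.items())
        return {"issuer": self.name, "digests": digests,
                "signature": _sign(self.key, self.name, digests),
                "disclosures": disclosures}


class IdentityAgent:
    """Holds the citizen's credentials; releases claims only with the citizen's consent."""

    def __init__(self, credentials, consent_policy):
        self.credentials = {c["issuer"]: c for c in credentials}
        self.consent_policy = consent_policy  # (relying_party, issuer, claims) -> bool

    def present(self, relying_party, issuer, requested):
        requested = frozenset(requested)
        if not self.consent_policy(relying_party, issuer, requested):
            raise ConsentDenied(f"{relying_party} may not obtain {sorted(requested)} from {issuer}")
        cred = self.credentials[issuer]
        # Only the consented elements (value plus salt) leave the agent.
        return {"issuer": issuer, "digests": cred["digests"], "signature": cred["signature"],
                "disclosed": {c: cred["disclosures"][c] for c in requested}}


class RelyingParty:
    """Verifies that each disclosed claim was committed to by a trusted issuer."""

    def __init__(self, name, trusted_issuers):
        self.name, self.trusted_issuers = name, trusted_issuers

    def verify(self, presentation, required):
        key = self.trusted_issuers.get(presentation["issuer"])
        if key is None:
            raise VerificationFailed("issuer is not trusted")
        expected = _sign(key, presentation["issuer"], presentation["digests"])
        if not hmac.compare_digest(presentation["signature"], expected):
            raise VerificationFailed("issuer signature does not verify")
        claims = {}
        for claim, (value, salt) in presentation["disclosed"].items():
            if _digest(claim, value, salt) not in presentation["digests"]:
                raise VerificationFailed(f"claim {claim!r} was not signed by the issuer")
            claims[claim] = value
        if set(required) - claims.keys():
            raise VerificationFailed("required claims missing from presentation")
        return claims

    def request(self, agent, issuer, required):
        return self.verify(agent.present(self.name, issuer, required), required)


def prescription_scenario(patient_claims_requested=("plan_number", "plan_active")):
    """Constructed scenario: pharmacist checks the doctor with the College and the patient with the HCP."""
    college = AuthoritativeParty("College", os.urandom(32))
    hcp = AuthoritativeParty("HCP", os.urandom(32))
    doctor = IdentityAgent(
        [college.issue({"licence": "MD-0000-EXAMPLE", "home_address": "not the pharmacist's business"})],
        lambda rp, issuer, claims: rp == "Pharmacy" and claims <= {"licence"})
    patient = IdentityAgent(
        [hcp.issue({"plan_number": "HCP-EXAMPLE-1", "plan_active": True,
                    "date_of_birth": "1970-01-01", "annual_income": 12345})],
        lambda rp, issuer, claims: rp == "Pharmacy" and claims <= {"plan_number", "plan_active"})
    pharmacy = RelyingParty("Pharmacy", {"College": college.key, "HCP": hcp.key})
    # Both preliminary checks must succeed before the drugs may be dispensed.
    return {"doctor": pharmacy.request(doctor, "College", ["licence"]),
            "patient": pharmacy.request(patient, "HCP", list(patient_claims_requested))}
```

Run `prescription_scenario()` and the pharmacist ends up holding exactly the licence number and the two plan elements; ask for `date_of_birth` as well and the flow stops at the patient's consent policy before anything is disclosed, which is the "mandatory stop" the closing section describes. A real deployment would replace the HMAC with the issuer's public-key signature so that relying parties need hold no issuer secrets.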

The architecture of consent

Putting this all together yields the master question facing democratic society: "What will 21st Century transactions look like when they require the full consent of all parties and when the flow of information comes to a mandatory stop without the consent of the real person receiving the service?"

When foundational anonymity becomes the universal starting principle at both the ballot box and the automated teller machine, we will have answered George Orwell, and rather proudly so.